Introduction

This post outlines a detailed process of compromising a virtual machine, TryHackMe Biblioteca, beginning with information gathering and port scanning to identify open services like SSH and a web server on port 8000. It then describes web enumeration using tools like Gobuster to discover hidden directories and pages, specifically the login page.

The next critical step involves vulnerability scanning for SQL injection on the login form, leveraging a simple payload to confirm its susceptibility. This leads to the exploitation of SQL injection using SQLmap to dump database records, including usernames and passwords.

With these credentials, the first foothold is established via SSH login. The process then shifts to privilege escalation, initially by exploiting password reuse to gain access to a less privileged user, “Hazel.” Finally, root access is achieved through Python library hijacking, manipulating environment variables to execute custom code within a Python script that Hazel is permitted to run as root, ultimately providing a reverse shell with elevated privileges.
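The root step above works because a sudo rule lets a Python script run as root while the caller still controls where the interpreter looks for modules. The audit below is an added example, not part of the original walkthrough: it flags sudoers lines that let PYTHONPATH reach a root command and import directories that a non-owner could write to. The sudoers fragment and the script path in it are constructed for illustration, not the box's real configuration.

```python
import os
import stat
import re
import tempfile

# Constructed sudoers fragment (hypothetical rule shape, not the box's real file).
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        env_keep += "PYTHONPATH"
hazel ALL=(root) SETENV: NOPASSWD: /usr/bin/python3 /opt/example_script.py
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# SETENV lets the caller pass arbitrary variables through sudo; env_keep whitelists
# a variable past env_reset. Either one lets PYTHONPATH survive into the root run.
RISKY_RULE = re.compile(r'\bSETENV\b|env_keep\s*\+?=.*PYTHONPATH')


def env_hijack_rules(sudoers_text):
    """Return the sudoers lines that let PYTHONPATH reach a command run as root."""
    return [line for line in sudoers_text.splitlines() if RISKY_RULE.search(line)]


def writable_import_dirs(paths):
    """Return directories on a module search path that a group or other user may write to.

    A writable entry lets a low-privileged user drop a module that shadows the real
    import. Mode bits are checked instead of os.access() so the result is the same
    whoever runs the audit (root would otherwise pass every directory)."""
    flagged = []
    for directory in paths:
        try:
            mode = os.stat(directory).st_mode
        except FileNotFoundError:
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            flagged.append(directory)
    return flagged


def audit_demo():
    """Run both checks on the constructed sudoers text and two throwaway directories."""
    loose = tempfile.mkdtemp()   # stands in for a world-writable dir on sys.path
    os.chmod(loose, 0o777)
    strict = tempfile.mkdtemp()  # a correctly permissioned library dir
    os.chmod(strict, 0o755)
    rules = env_hijack_rules(SAMPLE_SUDOERS)
    dirs = writable_import_dirs([loose, strict, "/nonexistent/example"])
    return rules, dirs, loose


if __name__ == "__main__":
    found_rules, found_dirs, _ = audit_demo()
    print("risky sudo rules:", *found_rules, sep="\n  ")
    print("writable import dirs:", *found_dirs, sep="\n  ")
```

On a real host, feed the output of `sudo -l` (or /etc/sudoers) to the first check and the interpreter's `sys.path` to the second.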

What methodologies and tools are demonstrated for identifying and exploiting web vulnerabilities?

Methodologies for Identifying and Exploiting Web Vulnerabilities

1. Information Gathering and Scanning: The initial step involves mapping the host and environment to identify open ports and services. For the “Pavlotika” machine, an Nmap scan revealed two open ports: 22 (running SSH) and 8000 (running a web server).

2. Web Enumeration: After initial scanning, if no credentials for services like SSH are immediately available, the process moves to web enumeration. This involves visiting the web page on the identified port (8000), understanding its structure, and examining the page source for hidden information.

A critical part of web enumeration is directory search or directory brute force to uncover hidden files and directories on the website. This led to the discovery of pages like /login, /register, and /logout.

3. Vulnerability Identification (SQL Injection): Upon encountering a login form, two paths are generally considered: password brute force or a vulnerability scan. Password brute force (using tools like OWASP ZAP or Hydra) is mentioned but is described as the least preferred method.

The preferred path is to perform a vulnerability scan on the web server to determine if the form is susceptible to SQL Injection. SQL Injection is a vulnerability that affects databases, allowing an attacker to extract full records, including usernames, passwords, and potentially hashes.

To save time in an engagement, manual testing with simple SQL Injection payloads is demonstrated to confirm the vulnerability. For instance, providing a payload such as ' OR 1=1 -- in the username field successfully logged in as “smokey,” indicating the vulnerability.

4. Exploitation (SQL Injection): Once a target is confirmed as vulnerable to SQL Injection, the next step is full exploitation to dump the database records.

The primary objective of this exploitation is to obtain credentials like usernames and passwords….

Tools Demonstrated for Web Vulnerabilities

Nmap: Used for initial information gathering and scanning to discover open ports and services on the target machine. In this case, it identified port 22 (SSH) and port 8000 (web server).

Gobuster: A tool specifically used for directory search or directory brute force. It helps in finding hidden files and directories on a website.

The command gobuster dir -u http://[IP]:8000 -w [wordlist_path] was used with a wordlist like directory list medium to enumerate directories. This process discovered the /login and /register pages, which returned a 200 status code, confirming their existence.

Manual SQL Injection Payloads: Instead of a full vulnerability scanner, a simple payload like ' OR 1=1 -- (specifically, with a space and single quote at the end) was supplied to the username field. This successfully allowed a login as “smokey,” confirming the SQL Injection vulnerability without needing external tools.
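The bypass described in the methodology section and again under the manual payload entry comes down to how the login query is built. The following is an added example, not code from the walkthrough or the box: an in-memory SQLite table stands in for the MySQL backend, the constructed user rows and passwords are made up, and the two login functions show the string-spliced query the payload defeats beside a parameterized version that treats the same input as plain data.

```python
import sqlite3

# Constructed sample rows; the passwords are placeholders, not values dumped from the box.
SAMPLE_USERS = [("smokey", "placeholder-pass-1"), ("hazel", "placeholder-pass-2")]

# The walkthrough's payload. The trailing space after "--" matters: both SQLite and
# MySQL require whitespace after "--" for it to start a comment.
SQLI_PAYLOAD = "' OR 1=1 -- "


def make_db():
    """Build an in-memory users table shaped like the one SQLMap dumps."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(username, password):
    """The query text as a string-spliced login form would produce it."""
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn, username, password):
    """Login that splices user input into SQL text (the behaviour the payload exploits).

    With the payload as username the WHERE clause becomes
    username = '' OR 1=1 -- ' AND password = '...'
    so the password check is commented out and the first row wins."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened login: bound parameters keep the quote and '--' inside the value."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query:", build_vulnerable_query(SQLI_PAYLOAD, "x"))
    print("vulnerable login ->", login_vulnerable(db, SQLI_PAYLOAD, "x"))
    print("parameterized login ->", login_parameterized(db, SQLI_PAYLOAD, "x"))
```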

SQLMap: The central tool for SQL Injection testing and exploitation. After confirming the vulnerability manually, SQLMap was used to perform full exploitation.

The command sqlmap -u [URL] --data "username=test&password=test" --dump --dbs (or using --auto-detect) was employed. SQLMap identified the username parameter as vulnerable (specifically, to time-based blind and union query SQL injection). It also identified the backend Database Management System (DBMS) as MySQL.

Crucially, SQLMap was used to dump records from the database, extracting the username “smokey” and its corresponding password.

OWASP ZAP and Hydra: These tools were mentioned as options for password brute force against login forms. OWASP ZAP is described as a “prominent vulnerability scanner,” and Hydra as a “specialized tool in cracking or finding the username and password.” However, these tools were not directly demonstrated or used in the presented web vulnerability exploitation path for this scenario.

Burp Suite: Mentioned as an alternative way to capture the web request and supply it to SQLMap, instead of using the --data switch. However, it was not directly demonstrated in the provided steps.

You can find the flags below and a video walkthrough as well. We covered SQL injection with Sqlmap and privilege escalation through python libraries.

What is the user flag?

What is the root flag?

THM{PytH0n_LiBr@RY_H1j@acKIn6}

Video Walk-Through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
